This document provides a flow for integrating the Qualys Virtual Scanner Appliance into your DevOps pipelines. It is a tool, vendor, and cloud environment agnostic approach that outlines the calls you need to make to perform specific actions in your pipeline: building images, scanning them, and making approval decisions based on the scan results via API calls. This document focuses on instance and virtual machine image building. While the logic behind some of the calls listed is similar to a container image pipeline, the Qualys API for Container Security uses different endpoints than those shown here. The Container Image Build Pipeline documentation and flow will be covered in another document.

Summary

This document outlines how to implement vulnerability and compliance scanning in your CI/CD pipeline using a Qualys Scanner Appliance, physical or virtual. It looks at where in the pipeline to integrate and how to set thresholds for ensuring virtual machine builds adhere to your security governance requirements. This document will cover what API calls are needed, what information is needed for the Qualys API calls, and how to process the responses.

Depending on your internal processes and requirements there may be a need to scan more than once. You may implement scanning as part of the virtual machine image building phases or in your testing and validation phase. The idea is to implement a set of standards that must be met for an image build to pass. This helps ensure that machines deployed from these approved images are free of critical vulnerabilities and meet the company's security configuration benchmarks.

Design Considerations

When to perform scans?

Vulnerability and compliance scanning may be integrated into the test or verify phases of your CI/CD pipelines. Almost all will need to build vulnerability and compliance scanning into the testing and validation steps of the image building process to help ensure that the virtual machines deployed from those images contain the latest software patches, are as free as possible of critical vulnerabilities, meet the security configuration requirements, and contain all the agents required by both ops and security. If the required minimums for image building are met, then the image passes and can then be used to deploy virtual machines.

Base Images

It is recommended to implement scanning as part of the base image creation processes and use the results to pass or fail a build. If a build fails because of the vulnerability scan results, patches can be applied to the virtual machine and the system rescanned up to X times. This iterative approach will ensure the base image builds contain all available OS patches at build time and that the virtual machine images do not contain vulnerabilities that violate the established thresholds for image approval.

This is a great opportunity to ensure the virtual machines used to create base images are also hardened to the security benchmarks used by the company for configuration compliance. This can be accomplished by using Qualys Policy Compliance scanning in the pipeline and using the results to assist in determining pass/fail of build jobs for virtual machine images. If a virtual machine passes the compliance scan, the images created from that virtual machine will already be hardened to the organization's configuration compliance standards.

Scanning in the build pipeline

Vulnerability and compliance scanning should be implemented as part of the application team build processes, just as in the virtual machine base OS image building process. This will help ensure that the virtual machines being built contain no known critical vulnerabilities and that no configuration changes are made that violate the established security governance standards, so that the virtual machines being built are compliant with the organization's information security requirements.

Scanner Placement

It is recommended to follow best practices for deploying Qualys scanners in your environment. This includes not having a firewall between the scanner and the virtual machine; if this is not possible, allow full ingress to the virtual machine from the scanner and keep the number of firewalls between the scanner and the virtual machine to a minimum. To ensure faster scan times, place a scanner in the network where the virtual machines will be created, or as close to it as possible. Placing a scanner on the same network or in the same VPC as the virtual machines that will be scanned will help ensure the most accurate scan results and will simplify troubleshooting of any issues encountered when performing scans.

Where Qualys API commands run

Decide how Qualys API commands will run in your virtual machine image creation pipeline. Some options are to run the commands on the virtual machine, via the pipeline management scripts, via a serverless function, or via a tool such as Jenkins. Defining where the Qualys API commands will run establishes the framework of settings and command options needed to execute the commands.

Running Scans

Vulnerability Management Host Assets

In order to perform IP address scans on target instances, the IP address must be added to or already included in the Qualys subscription. You can check if the IP is in your Qualys subscription host assets by pulling a list of the IPs as shown below. Iterate the list for IP and IP_RANGE entries. If the IP to be scanned is not in your subscription, then it can be added as shown below.
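The subscription check described above, as an added example that is not part of this document: it parses a host asset IP list into single IP and IP_RANGE entries and tests whether a target address is covered. The list/add endpoint `/api/2.0/fo/asset/ip/` (actions `list` and `add`) is taken from the Qualys API v2 documentation, not from this page, and the response below is constructed sample data.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample in the shape of an asset/ip/?action=list response (not a real subscription).
SAMPLE_IP_LIST = """<IP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2019-01-01T00:00:00Z</DATETIME>
    <IP_SET>
      <IP>10.0.1.5</IP>
      <IP_RANGE>10.0.2.0-10.0.2.255</IP_RANGE>
    </IP_SET>
  </RESPONSE>
</IP_LIST_OUTPUT>"""


def covered_by_subscription(ip, ip_list_xml):
    """True if `ip` is a listed IP entry or falls inside a listed IP_RANGE (start-end)."""
    target = ipaddress.ip_address(ip)
    root = ET.fromstring(ip_list_xml)
    for node in root.iter("IP"):
        if ipaddress.ip_address(node.text.strip()) == target:
            return True
    for node in root.iter("IP_RANGE"):
        start, end = (ipaddress.ip_address(p.strip()) for p in node.text.split("-", 1))
        if start <= target <= end:
            return True
    return False


def list_ips_url(platform_url):
    """GET URL that returns the subscription's host asset IPs (endpoint assumed from API v2 docs)."""
    return platform_url + "/api/2.0/fo/asset/ip/?" + urlencode({"action": "list"})


def add_ip_url(platform_url, ip):
    """POST URL that adds `ip` to the VM host assets (endpoint and enable_vm assumed from API v2 docs)."""
    return platform_url + "/api/2.0/fo/asset/ip/?" + urlencode(
        {"action": "add", "ips": ip, "enable_vm": 1})


if __name__ == "__main__":
    for candidate in ("10.0.1.5", "10.0.2.77", "10.0.3.1"):
        if not covered_by_subscription(candidate, SAMPLE_IP_LIST):
            print("not in subscription, would call:", add_ip_url("https://qualysapi.example", candidate))
```

In a pipeline the list call is made once per run and the add call only for addresses the check reports as missing.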

Static IP Address Space

If the subnet where images are being built and instantiated is known, this subnet / CIDR block can be added to the Qualys subscription host assets. This is the recommended approach which provides coverage of known network configuration information for the area where instances will be scanned. If your build pipelines are run in multiple networks, network segments, or cloud environments and the IP address subnets are known, then all should be added to your host assets licenses.

Adding the host asset IP address subnets is required in order to scan by IP address or to add an IP to a Qualys Vulnerability Management Authentication Record. Examples of adding or removing IP addresses from Authentication Records are shown below in the Authentication Records section.

Ephemeral / Non-static

For environments where there is no predefined known range of IP addresses that instances will be assigned, the instance IP address will need to be added to the subscription prior to adding the IP address to an Authentication Record or running a vulnerability or compliance scan of the instance. The IP address of the instance can be read from the virtual machine metadata or extracted from the virtual machine configuration. Once the IP address is known, it can be added to the Qualys Vulnerability Management and/or Policy Compliance Host Assets.

If the CIDR block for building virtual machines is known, the CIDR block can be added to the Qualys Authentication Records.

Ephemeral IP Addresses

If the build pipeline is running instances in an environment where the IP addresses are being assigned by the public cloud provider, the ephemeral IP address of the instance will need to be added to the authentication record prior to running a vulnerability management or policy compliance scan. It is recommended to perform a cleanup of the authentication record assigned IPs once the pipeline scanning is completed.

This will also require a lookup of the authentication record ID (or specifying it for a specific pipeline) and then updating the authentication record target IP address.

Adding IP Addresses

Unix/Linux

Example of adding an IP address to a Unix authentication record:

(Qualys Platform URL)/api/2.0/fo/auth/unix/?action=update&ids=1234567890&add_ips=1.2.3.4

Windows

Example of adding an IP address to a Windows authentication record:

(Qualys Platform URL)/api/2.0/fo/auth/windows/?action=update&ids=1234567890&add_ips=1.2.3.4

Removing IP Addresses

Unix/Linux

Example of removing an IP address from a Unix authentication record:

(Qualys Platform URL)/api/2.0/fo/auth/unix/?action=update&ids=1234567890&remove_ips=1.2.3.4

Windows

Example of removing an IP address from a Windows authentication record:

(Qualys Platform URL)/api/2.0/fo/auth/windows/?action=update&ids=1234567890&remove_ips=1.2.3.4

Vulnerability Management Scans

Qualys scanner appliances can run vulnerability scans and/or compliance scans on a system's IP address(es). Once an instance is created from an image and has an IP address, the virtual machine instance can be scanned.

Vulnerability scans can be run either as an authenticated scan with administrator/root privileges or non-authenticated. Compliance scans will only run via authenticated scans with administrator/root privileges.

Run a Vulnerability Scan on a virtual machine using the virtual machine IP address:

(Qualys Platform URL)/api/2.0/fo/scan/?action=launch&iscanner_id=123456789&scan_title=Candidate%20Image%20Scan123456789098&option_id=1234567890&ip=1.2.3.4&priority=5

Policy Compliance Scans

Run a Policy Compliance Scan on a virtual machine using the virtual machine IP address:

(Qualys Platform URL)/api/2.0/fo/scan/compliance/?action=launch&iscanner_id=123456789&scan_title=Candidate%20Image%20Scan123456789098&option_id=1234567890&ip=1.2.3.4&priority=5

Use the Reference Value in the response to query for the status of the scan. A loop checking for completed scan status should be run to ensure the scan has completed prior to querying for the scan results.
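The launch-then-poll flow described above, as an added example that is not code from this document: it builds the launch URL from the page's parameters, extracts the reference from the launch response, and loops until the scan reaches a terminal state. The status query `/api/2.0/fo/scan/?action=list&scan_ref=<reference>` and the XML element names (SIMPLE_RETURN/ITEM_LIST, SCAN_LIST_OUTPUT/SCAN/STATUS/STATE, states such as Finished/Error/Canceled) are assumed from the Qualys API v2 documentation rather than shown on this page; all responses below are constructed samples.

```python
import time
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

# Constructed response in the shape of SIMPLE_RETURN from scan/?action=launch; IDs are made up.
SAMPLE_LAUNCH = """<SIMPLE_RETURN><RESPONSE><TEXT>New vm scan launched</TEXT><ITEM_LIST>
<ITEM><KEY>ID</KEY><VALUE>111111</VALUE></ITEM>
<ITEM><KEY>REFERENCE</KEY><VALUE>scan/1234567890.12345</VALUE></ITEM>
</ITEM_LIST></RESPONSE></SIMPLE_RETURN>"""

# Constructed scan/?action=list&scan_ref=... responses, in the order a poll loop would see them.
SAMPLE_STATES = [
    "<SCAN_LIST_OUTPUT><RESPONSE><SCAN_LIST><SCAN><STATUS><STATE>%s</STATE></STATUS>"
    "</SCAN></SCAN_LIST></RESPONSE></SCAN_LIST_OUTPUT>" % s
    for s in ("Queued", "Running", "Running", "Finished")
]
TERMINAL_STATES = {"Finished", "Error", "Canceled"}  # assumed terminal values; polling stops here


def launch_url(platform_url, scanner_id, option_id, ip, title, compliance=False):
    """Build the launch call shown on the page; compliance=True selects the PC endpoint."""
    path = "/api/2.0/fo/scan/compliance/" if compliance else "/api/2.0/fo/scan/"
    params = {"action": "launch", "iscanner_id": scanner_id, "scan_title": title,
              "option_id": option_id, "ip": ip, "priority": 5}
    return platform_url + path + "?" + urlencode(params, quote_via=quote)


def scan_reference(launch_xml):
    """Pull the REFERENCE value (e.g. scan/1234567890.12345) out of the launch response."""
    for item in ET.fromstring(launch_xml).iter("ITEM"):
        if item.findtext("KEY") == "REFERENCE":
            return item.findtext("VALUE")
    raise ValueError("launch response carries no REFERENCE item")


def scan_state(list_xml):
    """Read STATE from a scan list response; None if the scan is not listed."""
    return ET.fromstring(list_xml).findtext(".//SCAN/STATUS/STATE")


def wait_for_scan(fetch_list_xml, ref, poll_seconds=30, max_polls=120):
    """Poll until a terminal state; fetch_list_xml(ref) performs the scan list GET for `ref`."""
    for _ in range(max_polls):
        state = scan_state(fetch_list_xml(ref))
        if state in TERMINAL_STATES:
            return state
        time.sleep(poll_seconds)
    raise TimeoutError("scan %s did not finish within %d polls" % (ref, max_polls))


if __name__ == "__main__":
    ref = scan_reference(SAMPLE_LAUNCH)
    replay = list(SAMPLE_STATES)  # offline stand-in for the HTTP fetch
    print(ref, wait_for_scan(lambda r: replay.pop(0), ref, poll_seconds=0))
```

Only a result of Finished should be followed by the results query; Error or Canceled should fail the pipeline stage rather than be retried silently.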

Confidential and proprietary information. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2019, Qualys, Inc.